Liferea Update Closes Security Hole

The new stable version 1.4.6 of the Liferea newsfeed reader fixes several bugs, including a security vulnerability.

In the release notes, Lars Lindner reports that a bug concerning backups of the "feedlist.opml" file has been fixed. This is the file that Liferea uses to store the user's news sources. After writing feedlist.opml, the program set incorrect permissions when creating the backup file. Local users could have exploited this to obtain passwords and user accounts on the system.
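The class of bug described above, shown as an added example that is not Liferea's code (the article does not say how the backup was created): a backup written with a permissive mode next to one that is private from the moment it exists. The function names and the paths passed in are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy all bytes from in to out; 0 on success, -1 on error. */
static int copy_fd(int in, int out)
{
    char buf[4096]; ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) return -1;
    return n < 0 ? -1 : 0;
}

/* Permissive (illustration): 0666 & ~umask gives 0644 under umask 022. */
int backup_permissive(const char *src, const char *dst)
{
    int in = open(src, O_RDONLY);
    int out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    int rc = (in < 0 || out < 0) ? -1 : copy_fd(in, out);
    if (in >= 0) close(in);
    if (out >= 0 && close(out) != 0) rc = -1;
    return rc;
}

/* Hardened pattern: drop any stale backup, then create a fresh 0600 file.
 * O_EXCL fails if dst exists (even as a symlink), so old modes never stick. */
int backup_private(const char *src, const char *dst)
{
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    unlink(dst);
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int rc = out < 0 ? -1 : copy_fd(in, out);
    close(in);
    if (out >= 0 && close(out) != 0) rc = -1;
    return rc;
}

int mode_of(const char *path)  /* permission bits of path, or -1 */
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 3 || backup_private(argv[1], argv[2]) != 0) return 1;
    return printf("%s mode %04o\n", argv[2], (unsigned)mode_of(argv[2])) < 0;
}
```

Passing the mode to `open()` at creation time matters: a file created with wider permissions and narrowed afterwards with `chmod()` is readable by other local users in between.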

The vulnerability affects all versions including the current 1.4.6 version. Users are advised to update. The bugfix release is available as a source code archive from SourceForge.